Zero-Day, Local Privilege Escalation, Linux, Dirty Frag, CVE-2026-43284, CVE-2026-43500
Source Material: V4bel GitHub | Technology: Linux Kernel (Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE, Fedora) | Targeted Industries: Opportunistic / Broadly Targeted
Executive Summary
“Dirty Frag” is a newly disclosed, unpatched local privilege escalation (LPE) zero-day affecting most major Linux distributions. An unrelated third party unexpectedly broke the disclosure embargo on May 7, 2026, and published an exploit, causing the security researcher who reported the vulnerability to release complete documentation to the public, including a functional Proof of Concept (PoC). Given the absence of a patch and the public availability of exploit code, in-the-wild exploitation is imminent, allowing any local attacker or compromised low-privilege service to achieve full root system compromise on affected Linux distributions with a single command.
Threat Overview and Strategic Impact
Discovered by Hyunwoo Kim, “Dirty Frag” extends the bug class established by “Dirty Pipe” and “Copy Fail”. It reaches root by chaining two separate page-cache write flaws: the xfrm-ESP vulnerability (CVE-2026-43284) and the RxRPC vulnerability (CVE-2026-43500). Both involve the fragment (frag) field of the kernel's sk_buff data structure.
The attack abuses a zero-copy send path to let an unprivileged user overwrite the page-cache copy of protected, read-only files such as /etc/passwd or /usr/bin/su. The modified content lives in memory and is served to every subsequent reader of the file, while the on-disk copy is untouched. Chaining the two flaws covers the blind spots each one would leave on a given distribution, which is why the exploit has a high success rate.
Unlike many kernel exploits, Dirty Frag is highly reliable because it is a deterministic logic flaw: attackers do not need to win a race or hit a timing window, and a failed attempt does not crash the system. As these flaws have existed in the Linux kernel for approximately nine years, the strategic impact is severe. Threat actors can use this zero-day to escalate privileges on already compromised systems across virtually all enterprise Linux environments, including Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora.
Security Hardening and Recommendations
While the xfrm-ESP vulnerability was patched in the mainline Linux kernel on May 8 (commit f4c50a4034e6), no major Linux distribution has shipped a backported update yet. Organizations must rely on mitigations until official packages become available.
Until then, block the esp4, esp6 and rxrpc modules from loading, unload them if they are currently loaded, and drop the page cache so that any file pages an attacker has already modified in memory are discarded and re-read from disk. The following command, run as root, does all three:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
Note: This mitigation breaks IPsec VPNs (esp4/esp6) and AFS distributed file systems (rxrpc); evaluate the operational impact before deploying it. Two further caveats: the rmmod in the command above fails silently if a module is in use (for example with active IPsec associations or AFS mounts), so confirm afterwards with lsmod that none of the three remain loaded; and the modprobe override has no effect where esp4, esp6 or rxrpc are compiled into the kernel rather than built as modules, in which case only a kernel update helps.
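The script below is an added example, not Deepwatch's or the researcher's code. It wraps the one-liner above with the checks a responder would want: it reports which of the three modules are loaded, flags any that are compiled into the kernel (where the modprobe override and rmmod do nothing), warns instead of silently ignoring an rmmod failure, and only touches the live system when explicitly asked. The module names and the drop_caches step come from the advisory; the function names, the VULN_MODULES variable and the DIRTYFRAG_APPLY gate are this example's own. The query functions take file paths as arguments so they can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the advisory): checked version of the Dirty Frag mitigation.
# Own/assumed names: all function names, VULN_MODULES, the DIRTYFRAG_APPLY gate.
set -u

VULN_MODULES="esp4 esp6 rxrpc"   # module names from the advisory

# Write "install <mod> /bin/false" overrides so the modules cannot be autoloaded later.
# Arg 1: modprobe.d directory (default /etc/modprobe.d). Prints the file written.
write_modprobe_block() {
    dir="${1:-/etc/modprobe.d}"
    conf="$dir/dirtyfrag.conf"
    : > "$conf"
    for m in $VULN_MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
    echo "$conf"
}

# Print the vulnerable modules that are currently loaded, one per line.
# Arg 1: /proc/modules or a file in the same format ("name size refcount deps state addr").
loaded_vuln_modules() {
    procmods="${1:-/proc/modules}"
    [ -r "$procmods" ] || return 0
    for m in $VULN_MODULES; do
        awk -v m="$m" '$1 == m { print m }' "$procmods"
    done
    return 0
}

# Print the vulnerable modules compiled into the kernel (listed like
# "kernel/net/ipv4/esp4.ko" in modules.builtin). Neither the modprobe override nor
# rmmod can do anything about these; only a fixed kernel helps.
# Arg 1: modules.builtin file (default: the running kernel's).
builtin_vuln_modules() {
    builtin="${1:-/lib/modules/$(uname -r)/modules.builtin}"
    [ -r "$builtin" ] || return 0
    for m in $VULN_MODULES; do
        grep -q "/$m\\.ko\$" "$builtin" && echo "$m"
    done
    return 0
}

# Apply the mitigation on the live system (needs root). Unlike the one-liner, an rmmod
# failure is reported rather than discarded, and built-in modules are flagged.
apply_mitigation() {
    write_modprobe_block /etc/modprobe.d >/dev/null
    for m in $(loaded_vuln_modules /proc/modules); do
        rmmod "$m" 2>/dev/null || echo "warning: $m is still loaded (in use?)" >&2
    done
    for m in $(builtin_vuln_modules); do
        echo "warning: $m is built into this kernel; this mitigation does not cover it" >&2
    done
    # Evict cached file pages so any copy an attacker already modified in memory is
    # dropped and the unmodified on-disk content is read back on next access.
    sync
    echo 3 > /proc/sys/vm/drop_caches
    echo "mitigation applied; verify with: lsmod | grep -E '^(esp4|esp6|rxrpc) '"
}

# Only modify the system when asked: DIRTYFRAG_APPLY=1 sh dirtyfrag-mitigate.sh
if [ "${DIRTYFRAG_APPLY:-0}" = 1 ]; then
    apply_mitigation
fi
```

Run it once with DIRTYFRAG_APPLY unset to see the warnings for built-in or in-use modules before committing to the change; the modprobe override persists across reboots, so removing /etc/modprobe.d/dirtyfrag.conf is the rollback once a fixed kernel is installed.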
Detection Strategy
Detection relies on monitoring for suspicious unprivileged user-namespace creation and for unexpected changes to critical system files such as /etc/passwd and /usr/bin/su. Security teams should also look for executions of su that produce no PAM authentication events, and for loads of the esp4, esp6 or rxrpc modules triggered by unprivileged processes; the kernel auto-loads these modules on first use (an AF_RXRPC socket, an ESP xfrm state), so the loading process is the unprivileged one rather than an administrator running modprobe.
How Deepwatch Protects Our Customers
Deepwatch Adversary Tactics & Intelligence (ATI) is actively analyzing the threat landscape for updates regarding the “Dirty Frag” vulnerability, in the wild exploitation activity, associated IOCs, and the release of official patches. Deepwatch Guardians are continuously monitoring our telemetry for indicators of local privilege escalation and suspicious modifications to sensitive Linux authentication files.
Relevant Detections
Please visit Security Center to access the relevant detections for this activity.
Threat Hunting Leads
- Hunt for instances of users executing unshare with CLONE_NEWUSER and CLONE_NEWNET flags followed by network configuration changes or modifications to root-owned binaries.
- Review instances where page cache drops are manually invoked (echo 3 > /proc/sys/vm/drop_caches) by suspicious local processes.
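As an added example that is not part of the advisory and not Deepwatch's detection content, the rules and functions below turn the detection strategy and the first hunting lead into something that can be run against a Linux audit log. Assumptions: auditd is the log source; the dirtyfrag_* rule keys and the function names are this example's own; CLONE_NEWUSER (0x10000000) and CLONE_NEWNET (0x40000000) are the kernel's flag values; 272 and 59 are the x86_64 syscall numbers for unshare and execve. The audit records used to exercise the functions are constructed samples in raw audit.log format, not real telemetry.

```shell
#!/bin/sh
# Added example (not from the advisory): auditd rules for the detection strategy and
# two hunting functions over raw audit.log records.
# Own/assumed names: the dirtyfrag_* keys and all function names.
set -u

CLONE_NEWUSER=268435456    # 0x10000000
CLONE_NEWNET=1073741824    # 0x40000000

# Rules for /etc/audit/rules.d/dirtyfrag.rules (load with augenrules --load).
# "a0&=<mask>" bit-tests the flags argument of unshare(), so a direct syscall from
# exploit code is caught as well as the unshare(1) CLI. The watches record ordinary
# write() paths to the two target files (e.g. later persistence edits to /etc/passwd);
# the exploit's own page-cache write is not a file write and will not trigger them,
# so pair them with content checks of those files.
print_audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S unshare -F a0&=268435456 -F auid>=1000 -F auid!=unset -k dirtyfrag_userns
-a always,exit -F arch=b64 -S unshare -F a0&=1073741824 -F auid>=1000 -F auid!=unset -k dirtyfrag_netns
-w /etc/passwd -p wa -k dirtyfrag_passwd
-w /usr/bin/su -p wa -k dirtyfrag_su
EOF
}

# Hunting lead 1: unshare() calls that request BOTH a new user namespace and a new
# network namespace. Reads raw SYSCALL records from a file (arg 1) or stdin and prints
# "pid=<n> auid=<n> comm=<name> a0=<hex>" per hit.
hunt_unshare_userns_netns() {
    while IFS= read -r line; do
        case "$line" in
            *"syscall=272 "*|*"syscall=unshare "*) ;;   # 272 = unshare on x86_64
            *) continue ;;
        esac
        a0=$(printf '%s\n' "$line" | sed -n 's/.* a0=\([0-9a-fA-F]*\).*/\1/p')
        [ -n "$a0" ] || continue
        flags=$((0x$a0))
        if [ $(( flags & CLONE_NEWUSER )) -ne 0 ] && [ $(( flags & CLONE_NEWNET )) -ne 0 ]; then
            pid=$(printf '%s\n' "$line" | sed -n 's/.* pid=\([0-9]*\).*/\1/p')
            auid=$(printf '%s\n' "$line" | sed -n 's/.* auid=\([0-9]*\).*/\1/p')
            comm=$(printf '%s\n' "$line" | sed -n 's/.* comm="\([^"]*\)".*/\1/p')
            printf 'pid=%s auid=%s comm=%s a0=%s\n' "$pid" "$auid" "$comm" "$a0"
        fi
    done < "${1:-/dev/stdin}"
    return 0
}

# Detection strategy: su executions without a PAM authentication record. Every
# execve() of /usr/bin/su (SYSCALL record, syscall 59) is matched against USER_AUTH
# records from the same pid; an su that never ran PAM has no such record.
# Arg 1: audit log file (read twice, so stdin is not accepted).
hunt_su_without_pam() {
    f="${1:?audit log file required}"
    execs=$(sed -n '/^type=SYSCALL .* syscall=59 .* exe="\/usr\/bin\/su"/s/.* pid=\([0-9]*\).*/\1/p' "$f" | sort -u)
    auths=$(sed -n '/^type=USER_AUTH .* exe="\/usr\/bin\/su"/s/.* pid=\([0-9]*\).*/\1/p' "$f" | sort -u)
    for p in $execs; do
        echo "$auths" | grep -qx "$p" || echo "pid=$p su executed without PAM auth record"
    done
    return 0
}
```

In production the two hunting functions would be fed with `ausearch --raw -k dirtyfrag_userns` and `ausearch --raw -m SYSCALL,USER_AUTH` output rather than a static file; the second check is noisy on hosts where su is wrapped by sudo or run by automation, so baseline it per host before alerting on it.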
Technical Artifacts
Please visit Security Center to access the associated technical artifacts.
Threat Object Mapping
Intrusion Set:
- N/A (Due to the general availability of the PoC, it can be leveraged by any actor with initial access)
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
|---|---|---|---|
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Adversaries exploit kernel flaws to gain root privileges. |
| Defense Evasion | Modify System Image | T1601 | Modifying system binaries in memory (e.g., /usr/bin/su). |
Vulnerabilities:
- CVE-2026-43284 (xfrm-ESP Page-Cache Write) – Base Score: 7.8 HIGH
- CVE-2026-43500 (RxRPC Page-Cache Write) – Base Score: N/A (Reserved/Pending)
Malware/Tool:
- Dirty Frag PoC Exploit
Additional Sources
- OSS-Security Mailing List: Dirty Frag
- NVD: CVE-2026-43284
- New Linux ‘DirtyFrag’ gives root on all major distros